
Symfony 2 - access_control vs isGranted() to control access in controller


In the documentation there are many examples of the many ways to manage access control for certain routes.

Here is my access_control block in security.yml, where I describe which page can be accessed by which role:

security:
    access_control:
        - { path: ^/$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/trainee, roles: ROLE_TRAINEE }
        - { path: ^/university, roles: ROLE_UNIVERSITY_PROFESSOR }
        - { path: ^/company, roles: ROLE_COMPANY_TUTOR }

Now these routes can be only accessed with these ROLES and no other.

In these routes I have some forms, and I am wondering whether access_control is enough to keep these forms from being reached by another ROLE.

I saw some examples on the internet where people are putting isGranted() in the form submission:

use Symfony\Component\Security\Core\Exception\AccessDeniedException;

// $authorizationChecker is the security.authorization_checker service
if ($form->isValid()) {
    if (!$authorizationChecker->isGranted('ROLE_TRAINEE')) {
        throw new AccessDeniedException();
    }

    // ...
}

But again, here I am not sure whether they are protecting these routes with access_control or only from inside the controller with isGranted().

Could someone explain the difference, and whether I should also protect forms with isGranted() even though the routes are protected by access_control?


Solution

  • Having the access control rules is enough, if your form is behind a URI which matches the access_control regex (why don't you simply test this...?)
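To see why the answer holds, and where it stops holding, here is an added example (not code from the question, the answer or Symfony itself) that models how Symfony evaluates access_control: the first rule whose path regex matches the request path wins, and the request passes only if the user holds at least one of that rule's roles. The rule list copies the security.yml above; the form URL /trainee/report and the /shared/report handler are constructed for the demonstration.

```php
<?php
// Simplified model of Symfony's access_control evaluation (not Symfony's own code):
// rules are checked in order, the first path-regex match decides, and the request
// is allowed only if the user has one of that rule's roles. Rules mirror security.yml.
$accessControl = [
    ['path' => '^/$',          'roles' => ['IS_AUTHENTICATED_ANONYMOUSLY']],
    ['path' => '^/trainee',    'roles' => ['ROLE_TRAINEE']],
    ['path' => '^/university', 'roles' => ['ROLE_UNIVERSITY_PROFESSOR']],
    ['path' => '^/company',    'roles' => ['ROLE_COMPANY_TUTOR']],
];

function isAllowed(array $accessControl, string $path, array $userRoles): string
{
    foreach ($accessControl as $rule) {
        // Symfony's RequestMatcher applies the regex to the request path info.
        if (!preg_match('{' . $rule['path'] . '}', $path)) {
            continue; // not this rule, try the next one
        }
        // First matching rule decides; later rules are never consulted.
        if (in_array('IS_AUTHENTICATED_ANONYMOUSLY', $rule['roles'], true)) {
            return 'allowed';
        }
        // Denied here means a 403 for logged-in users; anonymous users are sent
        // to the firewall's login entry point instead.
        return array_intersect($rule['roles'], $userRoles) ? 'allowed' : 'denied';
    }
    // Caveat: a path matched by no rule is not restricted by access_control at all,
    // so a form handler living outside every rule needs isGranted() in the controller.
    return 'allowed (no rule matched)';
}

// Constructed scenarios: the form is rendered at and POSTed back to /trainee/report,
// which matches ^/trainee regardless of the HTTP method or the form contents.
$checks = [
    ['/trainee/report', ['ROLE_TRAINEE']],
    ['/trainee/report', ['ROLE_COMPANY_TUTOR']], // tutor submitting the trainee form
    ['/trainee/report', []],                      // anonymous visitor
    ['/shared/report',  ['ROLE_COMPANY_TUTOR']],  // handler outside every rule
];
foreach ($checks as [$path, $roles]) {
    printf("%-18s %-22s %s\n", $path, implode(',', $roles) ?: '(anonymous)',
        isAllowed($accessControl, $path, $roles));
}
```

The second and third scenarios show access_control alone already rejecting the form submission; the fourth is the case the answer's condition ("behind a URI which matches the regex") excludes, where only an in-controller isGranted() check protects the form.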